Foreword

E-business, one of the fastest -growing segments of the information technology industry, is changing the face of commerce as we know it. Conducting business on the Web is rapidly becoming a fundamental element of how organizations conduct business with each other, as well as with their customers. Web-based systems do not stand alone. Rather, they are the integration of many existing enterprise systems, processes, and protocols, oftentimes reengineered to leverage the capabilities inherent in the Web-based systems and to afford new capabilities. The value is not in the technology piece parts but in the rapid creation of new business solutions.

All technologies introduce risks into businesses. The challenge is in managing these risks. Some of the risks originate from the complexity of the solutions designed to address a company's business needs; other risks are inherent in the technologies chosen to address these needs. To meet these risks, we have seen the rise of various security technologies, such as antivirus scanners , firewalls, intrusion-detection systems, virtual private networks (VPNs), public-key cryptography, and the Secure Sockets Layer (SSL) protocol.

The Web is no exception. Although it offers new opportunities for creating markets and marketplaces , the risks it introduces have driven the creation of new and innovative solutions. These include authenticating and authorizing users of the system, protecting transactions from malevolent hackers, enforcing access control, guaranteeing privacy, and offering federated identity management.

An enterprise system usually comprises heterogeneous systems. Enabling these systems to communicate and integrate to form useful end-to-end solutions is essential, as much of the growth is not in the creation of entirely new systems but in making legacy systems and services accessible via the Web. This is achieved with greater ease when the enterprise system's key elements, including security, are based on open standards. Using open standards greatly simplifies the complexity and cost of development. Enabling open standards in the industry can happen only when there is an open exchange of ideas and cooperation between vendors .

This book takes an in-depth look at the development of enterprise applications based on the Java 2 Platform, Enterprise Edition (J2EE), which enables integration of existing subsystems into more powerful Web-based enterprise systems. This book focuses on the set of security standards that support and enhance a J2EE environment, including SSL, Kerberos authentication and authorization, secret- and public-key cryptography, Public-Key Cryptography Standards (PKCS), Secure/Multipurpose Internet Mail Extensions, and the Web Services Security specification. Rather than taking a piecewise view of security, this book's perspective is broader. The industry is making a shift from programmatic security to declarative security. The goal is to manage security through policies rather than via security code being written into every application, which is much more expensive to maintain and upgrade as new threats and risks are identified.

This book is the result of IBM's technical leadership and strength in security, middleware, and on-demand computing, as well as a long-standing collaboration between IBM's Software Group and Research Division. This collaboration has brought together people from around the world, creating a partnership dedicated to providing value to the marketplace in a dynamic business and technical environment.

For a long time, there has been a need for a J2EE security book. I am very happy to see that there is now such a book to answer many of the technical questions that developers, managers, and researchers have about such a critical topic. I am sure that this book will contribute greatly to the success of the J2EE platform and e-business.

Steven  A.  Mills
Senior  Vice  President  and  Group  Executive
Software  Group,  IBM  Corporation